CVE-2026-3663: Out-of-Bounds Read in xlnt-community xlnt

Medium
Published: Sat Mar 07 2026 (03/07/2026, 14:32:09 UTC)
Source: CVE Database V5
Vendor/Project: xlnt-community
Product: xlnt

Description

A vulnerability was found in xlnt-community xlnt up to and including version 1.6.1. It affects the function xlnt::detail::compound_document_istreambuf::xsgetn in source/detail/cryptography/compound_document.cpp, part of the XLSX File Parser component. A crafted input causes an out-of-bounds read. The attack vector is local. An exploit has been made public and could be used. The fix is identified as patch 147; applying it is recommended.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/14/2026, 19:21:16 UTC

Technical Analysis

CVE-2026-3663 is an out-of-bounds read in xlnt-community xlnt, an open-source C++ library for reading and writing XLSX workbooks, affecting releases up to and including 1.6.1. The defect is in xlnt::detail::compound_document_istreambuf::xsgetn in source/detail/cryptography/compound_document.cpp. That is not the ordinary XLSX path: a plain XLSX file is a ZIP package, whereas the compound document (CFB/OLE2) container parsed here is the wrapper used for password-protected OOXML workbooks, which is why the parser sits under the cryptography directory. xsgetn is the std::streambuf hook that serves bulk reads of n bytes from a stream inside that container; with the bounds check missing, a crafted file makes it read past the end of its buffer. The result is either exposure of adjacent process memory contents or a crash when the read crosses into an unmapped page. The CVSS 4.0 vector is local with low privileges and no user interaction; for a file parser this means the attacker supplies a crafted workbook and the target process opens it, whether that process is a desktop application or a batch job. Confidentiality and availability impact are rated limited and integrity impact none, giving a base score of 4.8 (Medium). The issue is publicly disclosed, an exploit is available, and a fix identified as patch 147 corrects the bounds checking. No exploitation in the wild has been reported. Any application that embeds xlnt and opens workbooks from untrusted sources is affected, most directly those that accept encrypted workbooks.
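Added example, not xlnt's code: a hypothetical std::streambuf over a CFB-style stream, showing the unsafe bound (read length derived from the attacker-controlled declared stream size) beside the hardened bound (clamped to the bytes actually present). The cfb_stream type, the sample data and the function names are invented for this illustration; the real xlnt logic and the exact defect behind CVE-2026-3663 may differ.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <istream>
#include <streambuf>
#include <string>
#include <vector>

// Hypothetical model of one stream inside a compound (CFB/OLE2) container:
// the bytes that are physically present, and the size the directory entry
// claims for the stream.  In a crafted file the directory entry is
// attacker-controlled.  Constructed stand-in, not xlnt's own types.
struct cfb_stream {
    std::vector<char> sectors;   // bytes actually present in the file
    std::size_t declared_size;   // size field from the directory entry
};

// Length the unsafe pattern would pass to memcpy.  It bounds the read only by
// the declared size, so an entry claiming more bytes than the sector chain
// holds leads to a copy past the end of `sectors`.  Returned as a number so
// the overrun can be inspected without being performed.
std::size_t unchecked_read_len(const cfb_stream& s, std::size_t pos, std::size_t n) {
    std::size_t remaining = s.declared_size > pos ? s.declared_size - pos : 0;
    return std::min(remaining, n);
}

// True when a read of n bytes at pos under the unchecked bound would touch
// memory beyond the backing storage.
bool unchecked_would_overrun(const cfb_stream& s, std::size_t pos, std::size_t n) {
    return pos + unchecked_read_len(s, pos, n) > s.sectors.size();
}

// Hardened bound: the smaller of the declared size and the bytes physically
// present, with pos clamped, so pos + result <= sectors.size() always holds.
std::size_t checked_read_len(const cfb_stream& s, std::size_t pos, std::size_t n) {
    std::size_t limit = std::min(s.declared_size, s.sectors.size());
    if (pos >= limit) return 0;
    return std::min(limit - pos, n);
}

// std::streambuf over a cfb_stream whose xsgetn (the bulk-read hook named in
// the advisory) uses the hardened bound.  underflow/uflow serve single-byte
// reads so std::istream can be layered on top.
class checked_istreambuf : public std::streambuf {
public:
    explicit checked_istreambuf(const cfb_stream& s) : s_(s) {}

protected:
    std::streamsize xsgetn(char* dst, std::streamsize n) override {
        if (n <= 0) return 0;
        std::size_t len = checked_read_len(s_, pos_, static_cast<std::size_t>(n));
        if (len == 0) return 0;
        std::memcpy(dst, s_.sectors.data() + pos_, len);
        pos_ += len;
        return static_cast<std::streamsize>(len);
    }
    int_type underflow() override {
        if (pos_ >= std::min(s_.declared_size, s_.sectors.size())) return traits_type::eof();
        return traits_type::to_int_type(s_.sectors[pos_]);
    }
    int_type uflow() override {
        int_type c = underflow();
        if (c != traits_type::eof()) ++pos_;
        return c;
    }

private:
    const cfb_stream& s_;
    std::size_t pos_ = 0;
};

// Constructed sample: 8 bytes present, directory entry claims 64.
cfb_stream crafted_sample() {
    return cfb_stream{{'E', 'n', 'c', 'r', 'y', 'p', 't', '!'}, 64};
}

// Reads up to n bytes through the hardened streambuf and returns what was
// actually delivered; a request larger than the stream is truncated, not
// satisfied from adjacent memory.
std::string read_with_check(const cfb_stream& s, std::size_t n) {
    checked_istreambuf buf(s);
    std::istream in(&buf);
    std::string out(n, '\0');
    in.read(&out[0], static_cast<std::streamsize>(n));
    out.resize(static_cast<std::size_t>(in.gcount()));
    return out;
}
```

The point of the two length functions is the oracle: the unsafe version trusts a size the file declares, the safe version trusts only the bytes the container actually delivered. A caller asking for 32 bytes of the sample gets 8 from the hardened streambuf and an EOF condition, where the unchecked bound would have copied 32.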

Potential Impact

The primary impact is disclosure of process memory when a vulnerable xlnt build parses a crafted workbook: bytes read past the end of the buffer can include other file data, credentials or application state resident in the process, depending on what happens to sit adjacent in memory. The same read can also fault and crash the process, a denial of service for a desktop application or a conversion pipeline. The CVSS vector is local, so xlnt itself exposes no network-reachable trigger; the caveat is that "local" describes the parser's input, not how the file arrived. A server-side service that accepts uploaded spreadsheets and opens them with xlnt, a mail-attachment processor, or a shared host where one user's files are converted by another user's job all put untrusted files in front of the parser, and in those settings a remote party effectively controls the input. Organizations relying on xlnt in desktop applications, automated processing pipelines or embedded systems therefore face confidentiality and availability risk until patched. No in-the-wild exploitation is known, but public exploit code lowers the bar for attempts.

Mitigation Recommendations

Apply the fix identified as patch 147 from xlnt-community, which corrects the bounds check in compound_document_istreambuf::xsgetn, and rebuild applications that vendor or statically link xlnt, since a library fix does nothing for binaries that embed the old copy. Where patching is not immediately possible: restrict which users and services can feed workbooks to xlnt-based tooling; if the application has no need for password-protected workbooks, reject compound-file (CFB) containers before they reach the parser, since the vulnerable code is on that path, and pass only ZIP-packaged XLSX through; run the parsing step in a sandbox or a separate low-privilege process so a crash or leak is contained; and update dependent software that bundles xlnt. Developers integrating xlnt should build and fuzz the parser with AddressSanitizer (-fsanitize=address) in CI, which turns a silent over-read into a reported error and catches the same class of bug elsewhere in the code base. Finally, watch the xlnt-community repository and the usual advisory feeds for follow-up fixes.
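Added example, not xlnt's code or API: a pre-parse gate that classifies a workbook by its leading bytes and refuses compound-file containers unless the caller has opted in to encrypted workbooks. The function names, the accept/reject policy and the sample headers are assumptions made for this illustration; only the two file signatures are standard.

```cpp
#include <array>
#include <cstddef>
#include <fstream>
#include <string>
#include <vector>

// Outer container of a workbook file, judged from its leading bytes.
enum class container_kind { zip_package, compound_file, unknown };

// A plain OOXML workbook is a ZIP archive (local file header "PK\x03\x04").
// A password-protected OOXML workbook, like a legacy .xls, is a CFB/OLE2
// compound file (signature D0 CF 11 E0 A1 B1 1A E1); that container is what a
// compound_document parser handles.
const std::array<unsigned char, 4> zip_magic = {0x50, 0x4B, 0x03, 0x04};
const std::array<unsigned char, 8> cfb_magic = {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1};

template <std::size_t N>
static bool starts_with(const std::vector<unsigned char>& head,
                        const std::array<unsigned char, N>& magic) {
    if (head.size() < N) return false;
    for (std::size_t i = 0; i < N; ++i)
        if (head[i] != magic[i]) return false;
    return true;
}

container_kind classify(const std::vector<unsigned char>& head) {
    if (starts_with(head, zip_magic)) return container_kind::zip_package;
    if (starts_with(head, cfb_magic)) return container_kind::compound_file;
    return container_kind::unknown;
}

// Reads the first 8 bytes of a file and classifies it (unknown if unreadable).
container_kind classify_file(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    if (!f) return container_kind::unknown;
    std::vector<unsigned char> head(8);
    f.read(reinterpret_cast<char*>(head.data()), static_cast<std::streamsize>(head.size()));
    head.resize(static_cast<std::size_t>(f.gcount()));
    return classify(head);
}

// Gate in front of the parser.  Policy (an assumption for this example):
// ZIP packages are always accepted; compound files only when the caller has
// opted in to encrypted workbooks; anything else is rejected.
bool allow_for_parsing(const std::vector<unsigned char>& head, bool accept_compound_files) {
    switch (classify(head)) {
        case container_kind::zip_package:   return true;
        case container_kind::compound_file: return accept_compound_files;
        default:                            return false;
    }
}

// Constructed sample headers: the first 16 bytes of each kind of file.  The
// bytes after the signature are filler, not a valid archive or container.
std::vector<unsigned char> sample_zip_header() {
    return {0x50, 0x4B, 0x03, 0x04, 0x14, 0x00, 0x06, 0x00,
            0x08, 0x00, 0x00, 0x00, 0x21, 0x00, 0x00, 0x00};
}
std::vector<unsigned char> sample_cfb_header() {
    return {0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
}
```

Call classify_file on the upload path (or classify on the buffer already in memory) and consult allow_for_parsing before constructing any xlnt object. The check is cheap and content-based, so a renamed .xls or an encrypted workbook with an .xlsx extension is caught the same way; it does not inspect anything inside the container, so it is a gate on which parser runs, not a validator of the file.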


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-06T20:34:39.952Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69ac3a2fc48b3f10ffa2e9fa

Added to database: 3/7/2026, 2:46:07 PM

Last enriched: 3/14/2026, 7:21:16 PM

Last updated: 4/20/2026, 11:20:03 PM
